E.g., the attacker would send:

GET /pizza?toppings=pepperoni;address=attackersaddress HTTP/1.1
X-Ignore-This:

The attacker leaves the value of that last line empty and omits the trailing carriage return line feed (CRLF). Then, when the client makes its own request:

GET /pizza?toppings=sausage;address=victimssaddress HTTP/1.1
Cookie: victimscookie

the two requests get glued together into:

GET /pizza?toppings=pepperoni;address=attackersaddress HTTP/1.1
X-Ignore-This: GET /pizza?toppings=sausage;address=victimssaddress HTTP/1.1
Cookie: victimscookie

And the server uses the victim’s account to send a pizza to the attacker.
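
To see why the server treats the glued bytes as a single request, the following added example (not code from the original page) feeds the two requests shown above through a minimal HTTP header parser and reports which request line and cookie the server ends up pairing. The parser, the function names and the "header value looks like a request line" check are assumptions made for illustration; the byte strings are constructed from the text above.

```python
import re

# Constructed sample bytes, taken from the two requests in the text above.
ATTACKER_PREFIX = (
    b"GET /pizza?toppings=pepperoni;address=attackersaddress HTTP/1.1\r\n"
    b"X-Ignore-This: "          # deliberately no CRLF after this header
)
VICTIM_REQUEST = (
    b"GET /pizza?toppings=sausage;address=victimssaddress HTTP/1.1\r\n"
    b"Cookie: victimscookie\r\n"
    b"\r\n"
)

# A header value that itself has the shape of an HTTP request line.
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")


def parse_requests(stream: bytes):
    """Split a byte stream into HTTP requests the way a server would:
    a request line, then headers up to the blank line (bodies not handled)."""
    requests = []
    while stream:
        head, sep, stream = stream.partition(b"\r\n\r\n")
        if not sep:
            break  # incomplete request: a server would wait for more bytes
        lines = head.decode("ascii").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append({"request_line": lines[0], "headers": headers})
    return requests


def swallowed_request_lines(request):
    """Hypothetical check: names of headers whose value looks like a request line."""
    return [n for n, v in request["headers"].items() if REQUEST_LINE.match(v)]


if __name__ == "__main__":
    for req in parse_requests(ATTACKER_PREFIX + VICTIM_REQUEST):
        print("request line :", req["request_line"])
        print("cookie       :", req["headers"].get("cookie"))
        print("suspicious   :", swallowed_request_lines(req))
```

The parser sees one request: the attacker's request line, the victim's request line demoted to the value of X-Ignore-This, and the victim's cookie attached to the attacker's order.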